The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines the impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes the Harmonized Tariff Schedule of the United States.

Commissioners
Irving A. Williamson, Chairman
Daniel R. Pearson
Shara L. Aranoff
Dean A. Pinkert
David S. Johanson
Meredith M. Broadbent

UNITED STATES INTERNATIONAL TRADE COMMISSION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, DC 20436

June 24, 2013                                                       IG-LL-009

Chairman Williamson:

This memorandum transmits the Office of Inspector General's final report, Audit of Public-Facing Endpoints, OIG-AR-13-10. This audit focused on whether the Commission blocks access to network ports that should not respond to the Internet. In finalizing this report, we analyzed management's comments to our draft report and have included those comments in their entirety as Appendix A.

This audit identified two problem areas that culminated in a lack of security for public-facing endpoints. This report presents three recommendations to address the identified problem areas. In the next 30 days, please provide me with your management decisions describing the specific actions that you will take to implement each recommendation.

Thank you for the courtesies extended to the auditors during this review.

Philip M. Heneghan

U.S. International Trade Commission
Audit Report

Table of Contents

Results of Audit
Problem Areas
   Problem Area 1: The Commission did not block access to ports that should not respond to the Internet.
   Problem Area 2: The Commission did not perform ongoing scanning to detect responding ports.
Objective, Scope and Methodology
Appendix A: Management Comments on Draft Report

Results of Audit

The purpose of this audit was to answer the question:

       Apart from its intrusion prevention systems, has the Commission secured its public-facing endpoints?

No. The Commission did not secure its public-facing endpoints.

To secure its public-facing endpoints, the Commission must block access to network ports that should not respond to the Internet.

The ITC's computer network has over 500 systems, consisting of servers, desktops, laptops, printers, phones, and network infrastructure devices. Every computer is connected to the network with a unique IP (Internet Protocol) address. For example, a desktop PC on the ITC network might have an address like 192.168.50.40. A typical Windows PC could have more than 20 responding ports. Each port serves a function; for instance, an Internet browser connects to port 80 to request web pages from a webserver, and email servers use port 25 to transfer messages. It would be normal for an unprotected network of 500 systems to present 10,000 responding ports, all potential targets for attack.

The goal of perimeter defense is to minimize the number and exploitability of responding ports, known as the "attack surface." A network with no responding ports is not a network: responding ports are required to communicate. Devices such as firewalls are configured to limit the number of ports exposed to the Internet, and newer technologies such as Intrusion Detection and Prevention Systems (IDPS) can provide additional protection.

When accessed from the Internet, ITC's network should have had 14 responding IP addresses and 26 responding ports to provide the services necessary to support USITC's business functions.

Our scan of responding network ports identified the following:

   - 41 responding ports from 18 different IP addresses,
   - 15 of 41 ports that should not have responded to our scans,
   - 4 of 18 IP addresses were detected that should not have been visible, and
   - Two ports responded with a telnet login prompt to a network device.

When we identified ports that should not have been responding, we immediately notified the CIO's office, who then took action to block Internet access to those ports.

We conducted two audits simultaneously. One audit examined the effectiveness of the Commission's perimeter defense and found that, taken as a whole, the Commission's perimeter defense was effective. (Report No…) This audit examined a single component (responding ports) of the Commission's perimeter defense. As each component is strengthened, the Commission's defense as a whole is improved. Resolving the two problems we identified will reduce the risk to the Commission's network. These problem areas are: the Commission did not block access to ports that should not respond to the Internet, and it did not perform ongoing scanning to detect vulnerabilities. These problem areas are detailed below.

Problem Areas

Problem Area 1:
The Commission did not block access to ports that should not respond to the Internet.

When a device is installed on a high-risk, Internet-accessible network, it must be configured to provide the required functionality while limiting risk. This is typically managed by blocking Internet access to ports not necessary for required functionality.

We identified 15 open ports on the USITC network that should not have been accessible to the Internet. Two of these ports provided a login screen for direct access to network devices, as seen in the screenshot below:

[Screenshot: login prompt presented by a network device]

This type of access should never be allowed to the Internet, especially for a network device. In this case, new hardware was installed on the Commission's network, but it was not configured to deny this type of access. A failure to secure network equipment increases the risk to the entire network supported by these devices.

Recommendation 1: Block ports that should not be exposed to the Internet.

Problem Area 2:
The Commission did not perform ongoing scanning to detect responding ports.

Networks and their systems evolve over time, either deliberately or by chance. Installation and maintenance of devices can result in the inadvertent exposure of ports that should not be accessible to the Internet. The best means to detect and enable the resolution of these problems is thorough scanning of the devices before they are exposed to the Internet, and routine scanning of the network perimeter to detect any ports that should not be open.

At the time of the audit, the Commission was not performing routine scanning of its perimeter. Because scanning was not being performed, CIO staff were unaware that ports were open that should not have been accessible from the Internet.

The best means of mitigating this risk is vulnerability scanning, both on a periodic basis and on demand any time a change is made to the environment.

Recommendation 2: Perform scheduled, routine scanning of all perimeter devices on at least a monthly basis.

Recommendation 3: Perform perimeter device scans after new hardware or software is introduced to the ITC perimeter network.

Objective, Scope and Methodology

Objective:

   - Apart from its intrusion prevention systems, has the Commission secured its public-facing endpoints?

Scope:
This audit documented all non-SMTP responding ports and corresponding IP addresses accessible from the Internet on ITCNet during the month of July 2012. This audit enumerated the available points of access, and described the specific access methods for these access points.

Methodology:
1. The CIO whitelisted the scanning source address so scans would not be blocked by the Intrusion Prevention System.
2. Using the information provided by the Commission, we performed device service discovery using a toolset that included Nessus, Nmap, and applications within the BackTrack tool suite.
3. We analyzed and described accessible devices and services.
4. We compared accessible devices and services with those required to provide business services to the public.

Appendix A: Management Comments on Draft Report

[Back cover image: "Thacher's Calculating Instrument," developed by Edwin Thacher in the late 1870s. It is a cylindrical, rotating slide rule able to quickly perform complex mathematical calculations involving roots and powers. The instrument was used by architects, engineers, and actuaries as a measuring device.]